Abstract [en]

Purpose – The paper addresses three main problems resulting from uncertainty in information securitymanagement: i) dynamically changing security requirements of an organization ii) externalities caused by a securitysystem and iii) obsolete evaluation of security concerns.

Design/methodology/approach – In order to address these critical concerns, a framework based on optionsreasoning borrowed from corporate finance is proposed and adapted to evaluation of security architecture anddecision-making for handling these issues at organizational level. The adaptation as a methodology is demonstrated by a large case study validating its efficacy.

Findings – The paper shows through three examples that it is possible to have a coherent methodology, buildingon options theory to deal with uncertainty issues in information security at an organizational level.

Practical implications – To validate the efficacy of the methodology proposed in this paper, it was applied tothe SHS (Spridnings- och Hämtningssystem: Dissemination and Retrieval System) system. The paper introduces themethodology, presents its application to the SHS system in detail and compares it to the current practice.

Originality/value – This research is relevant to information security management in organizations, particularlyissues on changing requirements and evaluation in uncertain circumstances created by progress in technology.